VPNs: How Private Are They?

No matter how big and bad a firewall sits between your corporate network
and the Internet, you’re still vulnerable to attack from a most unexpected
source—your remote secure connections.

InfoExpress, Inc. has introduced an interesting product to help plug
this security hole: CyberGatekeeper Remote Policy Enforcer. Let’s examine
how it works.

The CyberGatekeeper solution is a combo hardware/software package that
consists of a hardware server, policy manager software and agent software.
The CyberGatekeeper server evaluated was a 1U rack-mountable computer
running Red Hat Linux on a Celeron processor. You don’t have to be a Linux
expert to set up the server, as it simply boots directly into a DOS-type
menu system where you can manually configure options or have the built-in
wizards walk you through the configuration.

The multi-homed server is designed to sit between your corporate VPN
server and the corporate network. All incoming VPN connections are routed
through the server where their configurations are audited for policy compliance
and, accordingly, are granted or denied access to the network. The outside
interface uses a virtual IP address so it’s possible to have multiple
CyberGatekeeper servers on the same segment for load-balancing purposes.
The agent can only be installed on Windows operating systems.

When a remote computer establishes an inbound VPN connection, the agent
collects information about the computer, including the operating system,
vendor-specific anti-virus program, vendor-specific personal firewall
program, as well as a slew of other security-related audits. This information
is passed on to the CyberGatekeeper server where it’s compared against
predefined policies (see the figure). If the audit fails, the remote computer
is denied access. You can configure a custom message that’s passed onto
the client to indicate why the failure occurred, and the user can then
make the appropriate changes to bring his or her computer into compliance.

You can define comprehensive policies that require
a minimum configuration in order for a remote computer to access the
corporate network. (Click image to view larger version.)

I created a sample policy that required that the remote computer run
Windows XP. When I made the VPN connection, the computer passed the audit,
as it was running Windows XP. When I changed the policy to require a BlackIce
Defender personal firewall, the audit failed and access was denied because
I was using the built-in XP firewall. You can define multiple criteria
for the policy based on required or desired minimum configurations. You
can also audit the registry for specific values (for example, making sure
the RUN ONCE value is blank, as many viruses and Trojans will modify this
registry entry).

CyberGatekeeper is an innovative solution that can protect these entry
points through audited compliance with corporate security policies. It’s
easy to configure even for the non-Linux expert and doesn’t require that
your remote employees be techies. When it comes to securing the corporate
network, CyberGatekeeper offers a viable solution for keeping VPNs private.

About the Author

James Carrion, MCM R2 Directory, MCITP, MCSE, MCT, CCNA, CISSP has worked as a computer consultant and technical instructor for the past 16 years. He’s the owner of and principal instructor for MountainView Systems, LLC, which specializes in accelerated Microsoft Certification training.